Is GovPass right for digital ID?
GovPass: It needs to be simple, secure, and private
For several years, the DTA has been working on getting its version of digital identity right. When it goes into public beta later this year, the Trusted Digital Identity Framework (TDIF) will manifest itself as GovPass, a federated way of holding and proving your digital identity using an exchange mechanism, where identity documents are not passed back and forth between parties.
According to the DTA, the successful implementation of the TDIF will be evident when people are able to simply and securely establish a digital identity through the provider of their choice.
Citizens will be able to safely reuse that identity to transact across all tiers of government and within the private sector, with their privacy assured.
The success of the TDIF will also be measured on the number of people that can complete the digital identity verification process without having to visit a shop-front or call the help desk for support.
The DTA is developing a dashboard to report transparently on this ease of use, along with a general measure of user satisfaction.
The shift towards a digital identity framework is being funded by a $92 million budget allocation for the 2018/19 financial year. This program includes $61 million in new money for the DTA, with additional funds drawn from the existing budget of the ATO and the Department of Human Services.
The money is intended to fund the completion of the GovPass program, as well as the completion of the ATO’s identity provider platform and the Department of Human Services’ ID exchange.
As part of the funding, the DTA will test the delivery of GovPass across a range of services, including online applications for a Tax File Number, as well as digital health.
The project has not been without its critics, who say it is proving expensive. There is also a view that government is reinventing the wheel in digital ID.
The TDIF, and the associated GovPass program, are intended to deliver a number of outcomes by which their success will be measured. The result has to be simple, in terms of creating an end-to-end digital identity that people will want to use. It also has to be accessible to all citizens regardless of their abilities or their environment.
Security and privacy are also regarded as paramount goals in the process of rolling out the TDIF and GovPass.
The DTA states that privacy and the protection of personal data have been carefully considered at all stages of the project, as well as in the development of new technologies.
Privacy is protected by an exchange, which limits the information flowing between the verifier and the government or private sector service that the consumer is dealing with.
The technology behind the exchange means that the service doesn’t actually see the end-user’s personally identifiable documents, and the provider of the verification service doesn’t know what government service the user is trying to access.
The DTA states that the exchange acts as a double-blind and ensures that all parties are trusted and secure. User consent is critical, as all use of personal data is controlled by the user, and nothing is shared without their permission.
The TDIF and GovPass are also claimed to have adopted privacy-enhancing principles as part of their design and architecture. These principles focus on several key areas: limiting the collection, use and disclosure of personal information to a narrow purpose, minimising the collection and retention of information, and keeping data stores separate.
GovPass will also only collect and retain the minimum amount of information for verifying identities. Once the identity is verified, only the essential information is kept, and the rest is discarded.
According to the DTA, these rules minimise function creep, which is the widening of the use of a system beyond the purpose for which it was originally intended.
Users also have the choice of opting in and out of the system, and are able to revoke their account at any time.
The DTA has received significant feedback on the GovPass and TDIF process, and states that there are several aspects of the overall process which remain to be addressed.
These remaining items include governance roles and responsibilities for identity federation, along with warranties, liability allocation and dispute resolution.
Other aspects that remain to be addressed also include how the TDIF manages the requirement to obtain user consent multiple times within the identity proofing process, as well as the applicability of transparency reports to Identity Service Providers and Attribute Providers.
In addition to those aspects, the use of biometrics such as face matching remains to be clarified.